
Gwendolini

Original poster
Hello.

As many of you do not know, I have too many internet accounts and passwords, but thanks to Keychain and 1Password, I can manage my addiction quite well. Every account has a different password (thanks to 1Password's "reused password" feature) and they are rather complex.
As I also have devices within my internal network, some of those passwords do not need to be 42 characters with symbols and numbers, sometimes 5t#6y does work for a local share volume. But those passwords get stored inside Keychain and 1Password as well.

Anyway, the iOS Settings / Passwords does show, that I had around 186 compromised passwords, I remedied that and am down to 50 something. But since only iOS is showing this and Monterey is still not out yet, and I want to use a Mac for password changing, due to easier workflow, I thought maybe 1Password does show me compromised items, and it did - 1 item.

What does Apple use that 1Password does not use?

Anyway, I probably have to change my MacRumors Forums password too, maybe it works, maybe it doe
 
More than likely, Apple uses a different algorithm to determine vulnerability. That could explain why 1Password only sees 1 compromised item. If most of the compromised alerts from Apple are from local devices accessing and sharing files locally, I wouldn't worry about it.
 
Odd, in that both services pretty much work the same way. They take a snippet of the hashed password and compare it to a list of all known compromised passwords. A snippet match causes a full value compare to occur on the device.

So...

I might use the password "abcd" on Site A which is compromised, you have same password, but is on Site B which is not compromised. You should get a notice about compromised password in that it is an exposed value and can be used for a brute-force attack of Site B.

Not sure if Apple is doing additional processing. For example, checking the user-id to see if that was exposed in a data breach, like the haveibeenpwned.com site does (does not reveal passwords, just that your email was found in these places).
 
Hey, Gwendolini! I work for 1Password and had a teammate pass along your question here so I thought I'd hop in with some initial thoughts on what might be going on. Without having a look under the hood or anything, this is just a best guess, but I suspect you're looking at what we call "Compromised Logins" which are functionally distinct from what I believe Apple tracks. Specifically, Compromised Logins are Login items for sites we know to have experienced a breach that you have not updated since the breach. They aren't comparing against any actual breach data.

Now, I've not personally hopped on the beta train yet and am not all that familiar with Apple's implementation, but based on what NoBoMac above me said, it sounds like Apple is querying against actual breach data. If that's the case, then 1Password absolutely does have a feature like that called Vulnerable Passwords, but it isn't enabled by default because it requires interaction with third parties. You can opt in via 1Password > Preferences > Watchtower, assuming you're using 1Password 7 for Mac. If you have exactly the same data in Keychain and 1Password, then I would expect a far more similar result with this option enabled. You can learn more about the various Watchtower categories here.

Hopefully that helps, but if you have already enabled Vulnerable Passwords or still see a significant mismatch between Apple and 1Password after doing so, let me know. If you'd rather, you can also send us an email and someone on our support team can hop in to help. You can find a Contact Us link at the top right of the page I linked above. If you do write in, you may want to include a link to this thread so that whoever gets your email is able to connect the dots and have the benefit of the background here. And, of course, if we can do anything else to help you on your journey to unique and random passwords for everything, we're more than happy.
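The two kinds of check described in the posts above, modelled side by side as an added example (not code from 1Password, Apple or any poster): a hash-prefix lookup against breached passwords, and a site-breach check based on when the password was last changed. The SHA-1 hash and five-character prefix follow the convention of the haveibeenpwned.com Pwned Passwords range API; the breach corpus, site breach list, vault entries and all function names are constructed for illustration.

```python
import hashlib
from datetime import date

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus, standing in for the remote service's data.
BREACHED_PASSWORDS = ["5t#6y", "abcd", "password1"]
RANGE_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_query(prefix):
    """Server side: sees only the 5-character prefix, returns all suffixes under it."""
    return RANGE_INDEX.get(prefix, set())

def password_is_exposed(password):
    """Client side: send the prefix only, finish the full comparison locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])

# Constructed list of known site breaches: site -> date of breach.
SITE_BREACHES = {"forum.example": date(2021, 3, 1)}

def login_is_compromised(item):
    """Site-based check: the site was breached after the password was last changed.
    The password value itself is never looked at."""
    breached_on = SITE_BREACHES.get(item["site"])
    return breached_on is not None and item["changed"] < breached_on

# Constructed vault: two short passwords that appear in the corpus, one strong
# password on a breached site, one strong password on an unaffected site.
VAULT = [
    {"site": "nas.local", "password": "5t#6y", "changed": date(2020, 1, 10)},
    {"site": "shop.example", "password": "abcd", "changed": date(2021, 6, 1)},
    {"site": "forum.example", "password": "k7!Qz-unique-and-long-93",
     "changed": date(2019, 5, 5)},
    {"site": "mail.example", "password": "Vr2$pL-another-unique-41",
     "changed": date(2022, 2, 2)},
]

def audit(vault):
    """Return (sites flagged by the password check, sites flagged by the site check)."""
    exposed = [i["site"] for i in vault if password_is_exposed(i["password"])]
    compromised = [i["site"] for i in vault if login_is_compromised(i)]
    return exposed, compromised

if __name__ == "__main__":
    exposed, compromised = audit(VAULT)
    print("exposed passwords:", exposed)
    print("compromised logins:", compromised)
```

On this constructed vault the two checks flag different items, so two tools auditing the same data can report different counts depending on which check is switched on.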
 
> Hey, Gwendolini! I work for 1Password and had a teammate pass along your question here so I thought I'd hop in with some initial thoughts on what might be going on. Without having a look under the hood or anything, this is just a best guess, but I suspect you're looking at what we call "Compromised Logins" which are functionally distinct from what I believe Apple tracks. Specifically, Compromised Logins are Login items for sites we know to have experienced a breach that you have not updated since the breach. They aren't comparing against any actual breach data.
>
> Now, I've not personally hopped on the beta train yet and am not all that familiar with Apple's implementation, but based on what NoBoMac above me said, it sounds like Apple is querying against actual breach data. If that's the case, then 1Password absolutely does have a feature like that called Vulnerable Passwords, but it isn't enabled by default because it requires interaction with third parties. You can opt in via 1Password > Preferences > Watchtower, assuming you're using 1Password 7 for Mac. If you have exactly the same data in Keychain and 1Password, then I would expect a far more similar result with this option enabled. You can learn more about the various Watchtower categories here.
>
> Hopefully that helps, but if you have already enabled Vulnerable Passwords or still see a significant mismatch between Apple and 1Password after doing so, let me know. If you'd rather, you can also send us an email and someone on our support team can hop in to help. You can find a Contact Us link at the top right of the page I linked above. If you do write in, you may want to include a link to this thread so that whoever gets your email is able to connect the dots and have the benefit of the background here. And, of course, if we can do anything else to help you on your journey to unique and random passwords for everything, we're more than happy.

Folks, that is good customer service.
 
Thanks for all the replies.

Why are so many compromised.
Has 1password been hacked or something?
That I do not know.
My 1Password password may not be fantastic, but it is excellent and used nowhere else. Hmm.

> More than likely, Apple uses a different algorithm to determine vulnerability. That could explain why 1Password only sees 1 compromised item. If most of the compromised alerts from Apple are from local devices accessing and sharing files locally, I wouldn't worry about it.

Yeah, I guess that may be the case, there are some internal devices with easy to guess (for a machine) passwords, and now that I had a good look at them, they seem to be older passwords for one time uses, which of course did repeat the password usage.

> Odd, in that both services pretty much work the same way. They take a snippet of the hashed password and compare it to a list of all known compromised passwords. A snippet match causes a full value compare to occur on the device.
>
> So...
>
> I might use the password "abcd" on Site A which is compromised, you have same password, but is on Site B which is not compromised. You should get a notice about compromised password in that it is an exposed value and can be used for a brute-force attack of Site B.
>
> Not sure if Apple is doing additional processing. For example, checking the user-id to see if that was exposed in a data breach, like the haveibeenpwned.com site does (does not reveal passwords, just that your email was found in these places).

As mentioned above, I just realised, they might be older passwords, which have only been used once (for whatever reason), but might repeat for different websites.
And yes, I checked the haveibeenpwned.com website and my important emails have not been pawned, though one of my throwaway email accounts is listed as pawned, which has had a strong password, but the email address is used dozens of times, thus maybe one website with that email address stored has been hacked/compromised and thus this big reaction.

> Hey, Gwendolini! I work for 1Password and had a teammate pass along your question here so I thought I'd hop in with some initial thoughts on what might be going on. Without having a look under the hood or anything, this is just a best guess, but I suspect you're looking at what we call "Compromised Logins" which are functionally distinct from what I believe Apple tracks. Specifically, Compromised Logins are Login items for sites we know to have experienced a breach that you have not updated since the breach. They aren't comparing against any actual breach data.
>
> Now, I've not personally hopped on the beta train yet and am not all that familiar with Apple's implementation, but based on what NoBoMac above me said, it sounds like Apple is querying against actual breach data. If that's the case, then 1Password absolutely does have a feature like that called Vulnerable Passwords, but it isn't enabled by default because it requires interaction with third parties. You can opt in via 1Password > Preferences > Watchtower, assuming you're using 1Password 7 for Mac. If you have exactly the same data in Keychain and 1Password, then I would expect a far more similar result with this option enabled. You can learn more about the various Watchtower categories here.
>
> Hopefully that helps, but if you have already enabled Vulnerable Passwords or still see a significant mismatch between Apple and 1Password after doing so, let me know. If you'd rather, you can also send us an email and someone on our support team can hop in to help. You can find a Contact Us link at the top right of the page I linked above. If you do write in, you may want to include a link to this thread so that whoever gets your email is able to connect the dots and have the benefit of the background here. And, of course, if we can do anything else to help you on your journey to unique and random passwords for everything, we're more than happy.

Thanks for your reply. As for the first part about compromised logins, I may have understood that now, as mentioned in the reply to NoBoMac (above your quote).
I have enabled Watchtower on iOS and macOS, but maybe the data inside 1Password is newer, than all the Keychain stuff and I made sure to use different passwords everywhere since using 1Password thanks to the REUSED passwords feature.

But maybe you could answer me this: when Watchtower is enabled, is there some extra page where compromised logins are shown or something like that? I could swear I did have such a page open yesterday in 1Password (iOS), but cannot figure out, how to get there, though I might have confused it with the iOS / Settings / Passwords ... page. It was late, depending on the timezone of course.

As to my stupidity, I just found the WATCHTOWER sidebar entry in the macOS app. I had to just expand it (it was collapsed). It is late again, depending on the time of getting up.
I guess there is no way to look at the Watchtower in iOS (not settings) like there is on macOS?

> Folks, that is good customer service.

I agree completely. But what about reddit?
 
> Hey, Gwendolini! I work for 1Password and had a teammate pass along your question here so I thought I'd hop in with some initial thoughts on what might be going on. Without having a look under the hood or anything, this is just a best guess, but I suspect you're looking at what we call "Compromised Logins" which are functionally distinct from what I believe Apple tracks. Specifically, Compromised Logins are Login items for sites we know to have experienced a breach that you have not updated since the breach. They aren't comparing against any actual breach data.
>
> Now, I've not personally hopped on the beta train yet and am not all that familiar with Apple's implementation, but based on what NoBoMac above me said, it sounds like Apple is querying against actual breach data. If that's the case, then 1Password absolutely does have a feature like that called Vulnerable Passwords, but it isn't enabled by default because it requires interaction with third parties. You can opt in via 1Password > Preferences > Watchtower, assuming you're using 1Password 7 for Mac. If you have exactly the same data in Keychain and 1Password, then I would expect a far more similar result with this option enabled. You can learn more about the various Watchtower categories here.
>
> Hopefully that helps, but if you have already enabled Vulnerable Passwords or still see a significant mismatch between Apple and 1Password after doing so, let me know. If you'd rather, you can also send us an email and someone on our support team can hop in to help. You can find a Contact Us link at the top right of the page I linked above. If you do write in, you may want to include a link to this thread so that whoever gets your email is able to connect the dots and have the benefit of the background here. And, of course, if we can do anything else to help you on your journey to unique and random passwords for everything, we're more than happy.

FYI Apple does use 'Compromised Logins' for Login items for sites known to have experienced a breach for passwords not yet updated since the breach. Apple specifically states this in iOS report.

Also any similar or passwords re-used Apple iOS will alert you to - which is difficult for people to have very unique passwords. Unfortunately using multiple platforms makes having direct access to unique passwords a bit troublesome.

Would be great to have more than just an algo to check on similarities of accounts or sites breached.
 
> As mentioned above, I just realised, they might be older passwords, which have only been used once (for whatever reason), but might repeat for different websites.

That could totally make sense, especially if you never imported from Keychain which is super common. Apple does not make it easy to pull data out of Keychain (yet) so it's tough to import into 1Password. I do believe both iOS 15 and Monterey are coming with easier export ability if my memory is correct so hopefully this is a struggle of the past before too long, but given the current state of things the scenario you describe would not surprise me in the slightest.

Of course, if it's important for you to be certain, it is possible, if not easy, to get some Keychain data into 1Password so you can do a more direct comparison. I'll have to apologize here as my knowledge on this topic specifically isn't great, but we have a support community user who maintains a converter suite that can help you get data out of Keychain and get it into 1Password if some conditions are met. I believe iCloud Keychain needs to be enabled and you may need to "export" from macOS so if you only have these passwords on iOS, that may be a dead end. If it's not, though, and you decide to do that, I'd specifically import into a separate vault. That way, if you have duplicate entries in your Apple passwords, you can easily delete them later by just deleting the vault you put them in. And if you have questions about the converter, MrC is super responsive to support community posts so I would absolutely start a new thread there and ask away.

> when Watchtower is enabled, is there some extra page where compromised logins are shown or something like that?

So right now there is not such a page in the iOS app, but any Login item that has been flagged by Watchtower for any reason will have a banner at the top letting you know what's wrong on iOS. All the same, I'd say you're right to shift to macOS. As it seems you've discovered, 1Password for Mac has a much easier to navigate system with each Watchtower category having its own sidebar section. Select the Watchtower category you want to tackle in the sidebar and your item list will be filtered down to only items with that flag.

With that said, working through Watchtower on iOS will be getting a ton easier in the not-too-distant future. I know this is Apple territory here at MacRumors, but if you've read about the release of 1Password for Linux or our 1Password 8 for Windows Early Access, you might have noticed a few hints that certain features are coming to other platforms as well. iOS is certainly among those platforms and the new Watchtower Dashboard you see mentioned in those blog posts is among the features we're planning to bring to ALL platforms. I can't give you a date on when you might see macOS and iOS get their Early Access releases because frankly I don't know myself what the plans are. But, keep an eye out and, if you're the adventurous type, feel free to give 'em a try when the time comes.

> But what about reddit?

I do not keep an eye on reddit the way I used to when I led our social CS team, but we definitely do have a few folks who keep track of r/1Password. We have also held some AMAs and the like with development and leadership on our subreddit. So, if something on r/1Password specifically hasn't got a reply, I'd be surprised if it were anything other than an oversight. Just the other day even I saw a teammate asking about a question he was replying to on reddit. You can always mention one of the mods in a comment to get some eyes on a thread and, of course, feel free to drop me a link if something needs an answer there. I'll make sure it gets in front of the right folks.

Now, if you're talking about other subreddits, that's a bit of a different story. This is both a blessing and a curse, but password managers are a hot topic in quite a few circles so tracking every place we might be mentioned is a tough ask. We generally have folks who browse places like this forum outside of work since we have strong Apple roots, but there is still an element of luck to whether or not we see any given post, try as we might. We absolutely make an effort, but the best way to make sure you get in touch with one of us is definitely to choose an official channel that's actively monitored every day: email, our support community, Twitter, Facebook, or our official subreddit. And, of course, if you're aware any of our staff use a given platform, I can't imagine any of my teammates would be upset to be mentioned on a thread that could use their attention.

Anyway, that's probably more of my babble than you bargained for, but hopefully it was helpful. As always, if I can answer any additional questions, ask away!
 